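Background
On Ubuntu 22.04 LTS, refreshing the package sources with apt-get update produced this warning: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
The warning does not affect execution, but as someone with a severe case of code OCD and a fixation on clean output, I find it painful to look at, so let's fix it.
To explain the problem clearly, I use installing Docker and installing Kubernetes as the two examples.
Reproducing the problem
Before installing software with apt-get on Ubuntu, you normally switch the system's sources to a local mirror to speed up downloads, for example the Aliyun, Tsinghua or NetEase mirrors.
After changing the sources you need to refresh them with apt-get update, and on Ubuntu 22.04 LTS this is where the problem appears.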
root@k8s-worker-01:/etc/apt# apt-get update
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (2909 B/s)
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
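The warning roughly means that we saved the package signing keys in /etc/apt/trusted.gpg, a file used by older versions of the system.
The message only tells you that the new release should not keep keys in /etc/apt/trusted.gpg; it does not tell us where the keys should go instead.
Solution
The answer is simple: they go in the /etc/apt/trusted.gpg.d directory.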
root@k8s-worker-01:/etc/apt# ls trusted.gpg.d/
ubuntu-keyring-2012-cdimage.gpg ubuntu-keyring-2018-archive.gpg
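As you can see, there are already two system key files.
I will now walk through the whole process of installing Docker and Kubernetes to solve this problem.
1. Add the keys
Add the Docker key: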
curl https://download.docker.com/linux/ubuntu/gpg | apt-key add -
Add the Kubernetes key:
curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
After adding the keys you will find a new trusted.gpg file in the /etc/apt directory:
root@k8s-worker-01:/etc/apt# ls
apt.conf.d keyrings sources.list sources.list.d trusted.gpg.d
auth.conf.d preferences.d sources.list.bak trusted.gpg
2. Add the software sources
Add the Docker source:
cat > /etc/apt/sources.list.d/docker.list << EOF
deb https://download.docker.com/linux/ubuntu jammy stable
EOF
Add the Kubernetes source:
cat > /etc/apt/sources.list.d/kubernetes.list << EOF
deb https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial main
EOF
3. Update the sources
Because we added two keys, updating the sources now produces two warnings:
root@k8s-worker-01:/etc/apt# apt-get update
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (2909 B/s)
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://mirrors.aliyun.com/kubernetes/apt/dists/kubernetes-xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
4. List the keys
Use apt-key list to list all keys on the server:
root@k8s-worker-01:/etc/apt# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa2048 2022-05-21 [SC]
A362 B822 F6DE DC65 2817 EA46 B53D C80D 13ED EF05
uid [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub rsa2048 2022-05-21 [E]
pub rsa4096 2017-02-22 [SCEA]
9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
uid [ unknown] Docker Release (CE deb) <[email protected]>
sub rsa4096 2017-02-22 [S]
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>
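According to the output, the server has 3 files and 4 keys in total. The top two are the keys we just installed, stored in /etc/apt/trusted.gpg; the keys that ship with the system can be left alone.
5. Export the keys
As the output above shows, the second line of each key is a hexadecimal string; this string is the key's id: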
A362 B822 F6DE DC65 2817 EA46 B53D C80D 13ED EF05
9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
Find the keys that trigger the apt-get update warning and export them:
apt-key export 13EDEF05 | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
apt-key export 0EBFCD88 | gpg --dearmour -o /etc/apt/trusted.gpg.d/kubernetes.gpg
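Note: when exporting, only the last 8 characters of the id are needed, written without spaces.
After exporting you will find two new binary files in the /etc/apt/trusted.gpg.d directory; these are the two files we just exported: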
root@k8s-worker-01:/etc/apt/trusted.gpg.d# ls
ubuntu-keyring-2012-cdimage.gpg ubuntu-keyring-2018-archive.gpg
root@k8s-worker-01:/etc/apt/trusted.gpg.d# apt-key export 13EDEF05 | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
root@k8s-worker-01:/etc/apt/trusted.gpg.d# apt-key export 0EBFCD88 | gpg --dearmour -o /etc/apt/trusted.gpg.d/kubernetes.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
root@k8s-worker-01:/etc/apt/trusted.gpg.d# ls
docker.gpg kubernetes.gpg ubuntu-keyring-2012-cdimage.gpg ubuntu-keyring-2018-archive.gpg
6. Delete the keys
Once the keys are exported, the trusted.gpg file in the /etc/apt directory can be deleted:
root@k8s-worker-01:/etc/apt# ls
apt.conf.d keyrings sources.list sources.list.d trusted.gpg.d
auth.conf.d preferences.d sources.list.bak trusted.gpg trusted.gpg~
root@k8s-worker-01:/etc/apt# rm trusted.gpg trusted.gpg~
root@k8s-worker-01:/etc/apt# ls
apt.conf.d auth.conf.d keyrings preferences.d sources.list sources.list.bak sources.list.d trusted.gpg.d
Finally, list all keys on the server once more with apt-key list:
root@k8s-worker-01:/etc/apt# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/docker.gpg
---------------------------------
pub rsa2048 2022-05-21 [SC]
A362 B822 F6DE DC65 2817 EA46 B53D C80D 13ED EF05
uid [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub rsa2048 2022-05-21 [E]
/etc/apt/trusted.gpg.d/kubernetes.gpg
-------------------------------------
pub rsa4096 2017-02-22 [SCEA]
9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
uid [ unknown] Docker Release (CE deb) <[email protected]>
sub rsa4096 2017-02-22 [S]
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>
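7. Update the sources again
According to the output above, the server now has 4 files and 4 keys in total; the top two are the ones we just added to the /etc/apt/trusted.gpg.d directory.
Try updating the sources again with apt-get update: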
root@k8s-worker-01:/etc/apt# apt-get update
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (3491 B/s)
Reading package lists... Done
The output shows no warnings at all, exactly as expected. Problem solved!
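Added example (not part of the original post): a shell helper that parses apt-key list output and prints the short id, full fingerprint and owner of every key still stored in /etc/apt/trusted.gpg, so each short id used in step 5 can be matched to its owner before the output file is named, and so the result of step 6 can be checked. The function names legacy_keys, legacy_keyring_empty and sample_before are made up for this illustration, and the sample input is constructed from the step 4 output.

```shell
#!/bin/sh
# Added example: report the keys that `apt-key list` shows under the legacy keyring.
# Reads `apt-key list` output on stdin; prints "short-id<TAB>fingerprint<TAB>uid".
legacy_keys() {
  awk '
    /^\//  { file = $0; fpr = ""; want = 0; next }  # keyring path header
    /^pub/ { want = 1; next }                        # fingerprint is on the next line
    want   { fpr = $0; gsub(/[ \t]/, "", fpr); want = 0; next }
    /^uid/ && file == "/etc/apt/trusted.gpg" && length(fpr) == 40 {
      uid = $0
      sub(/^uid[ \t]*\[[ a-z]*\][ \t]*/, "", uid)    # drop the "uid [ unknown]" prefix
      printf "%s\t%s\t%s\n", substr(fpr, 33), fpr, uid
      fpr = ""                                       # report each key once
    }
  '
}

# Exit status 0 only when no key is left in the legacy keyring.
legacy_keyring_empty() {
  [ -z "$(legacy_keys)" ]
}

# Constructed sample, abridged from the step 4 output above.
sample_before() {
  cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub rsa2048 2022-05-21 [SC]
A362 B822 F6DE DC65 2817 EA46 B53D C80D 13ED EF05
uid [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub rsa2048 2022-05-21 [E]
pub rsa4096 2017-02-22 [SCEA]
9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88
uid [ unknown] Docker Release (CE deb)
sub rsa4096 2017-02-22 [S]
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018)
EOF
}

sample_before | legacy_keys
# On a real host: apt-key list 2>/dev/null | legacy_keys
```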